From: Church, Chuck (cchurch@xxxxxxxx)
Date: Fri May 17 2002 - 14:24:32 GMT-3
I don't think this is Code Red or Nimda. We had a server yesterday that
killed our 2611 firewall feature set router from the inside. 100%
utilization. The server (MS IIS) had been patched months ago to cover the
Nimda stuff, but this was something different. I applied a patch from April
for IIS and it seemed to do it. Check out knowledge base article Q319733,
or better yet, build an Apache server :)
Chuck Church
Sr. Network Engineer
CCIE #8776, MCNE, MCSE
US Tennis Association
70 W. Red Oak Lane
White Plains, NY 10604
914-696-7199
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Scott Morris
Sent: Friday, May 17, 2002 9:30 AM
To: 'Murali Rao'; ccielab@groupstudy.com
Subject: RE: Slow links....Nimda/codered???
Putting everything on one interface is a bit difficult. If memory
serves, the ACL is applied to packets before the classification and
marking (look up "order of operations" on CCO to verify). With this in
mind, you put your ACLs on a different interface than your marking one.
You mark on the way in your outside interface and you drop on the way
out your inside interface.
Note, you will still process packets. Either way, they still go across
your link. So from an outside link standpoint, you'll still see the
packets. However, in killing them, there will be no responses, so your
usage should drop significantly! Hope that helps on the boxes you have.
I know it will on the 3660, but I can't remember whether this is
supported on the 1750. I think so though.
Scott
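An added example (not from any post in this thread) of the layout Scott describes, built from the class-map, policy-map and ACL Murali posted: the service-policy marks on input and the ACL drops on output, and it does so on both interfaces so that traffic in either direction is handled. Serial0/0 as the WAN interface is an assumption; fastethernet 0/0 is the interface named in Murali's post.

```cisco
! Added example, not configuration from the thread. Interface names
! Serial0/0 (WAN) and FastEthernet0/0 (LAN) are assumptions.
!
class-map match-any http-attacks
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*readme.eml*"
!
policy-map mark-inbound-http-attacks
 class http-attacks
  set ip dscp 1
!
! Mark on the way IN. No inbound ACL here: an inbound ACL is evaluated
! before the service-policy has set the DSCP value, so it would never see
! the marking. The drop happens on the OTHER interface, outbound.
interface Serial0/0
 service-policy input mark-inbound-http-attacks
 ip access-group 189 out
!
! Same pair on the LAN side, so a packet marked on entry to Serial0/0 is
! dropped leaving FastEthernet0/0, and a packet marked on entry to
! FastEthernet0/0 is dropped leaving Serial0/0.
interface FastEthernet0/0
 service-policy input mark-inbound-http-attacks
 ip access-group 189 out
!
! The outbound ACL matches the DSCP value the policy set.
! "log" on a busy router means every matching packet is process-switched for
! logging; drop the keyword once you have confirmed the match is working.
access-list 189 deny ip any any dscp 1 log
access-list 189 permit ip any any
!
! Verification:
!   show policy-map interface Serial0/0      (class http-attacks packet counts)
!   show access-lists 189                     (matches on the deny line)
```

Neither of the two checks at the bottom proves the link load has dropped; compare txload/rxload in "show interface serial" before and after, which is the symptom Murali reported.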
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Murali Rao
Sent: Friday, May 17, 2002 6:45 AM
To: ccielab@groupstudy.com
Subject: OT: Slow links....Nimda/codered???
Hello All.
Sorry for this OT, but I need some help immediately.
My customer's network has become dead slow for the last 4 days. It is
a hub spoke topology with 3660 as hub and 1750s as spokes.
The txload and rxload in the sh int serial output show as
much as 255/255 even when there are no user applications running.
Suspecting problems with the serial line, I brought up the
backup ISDN and the same thing repeats on the ISDN as well.
So there definitely is heavy traffic being pumped into the network. No
high CPU utilization seen either. Suspecting the Nimda/Code Red worm, I
found on the CCO, configurations to block these worms from crossing the
routers. I have tried these configs at all the routers without any use.
Can someone have a look at these configs and see if I am missing
something or suggest any other way of killing this issue? This is
making the links so slow that VoIP calls are suffering.
class-map match-any http-attacks
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*readme.eml*"
!
policy-map mark-inbound-http-attacks
 class http-attacks
  set ip dscp 1
!
interface fastethernet 0/0
 ip access-group 189 in
 ip access-group 189 out
 service-policy input mark-inbound-http-attacks
!
access-list 189 deny ip any any dscp 1 log
access-list 189 permit ip any any
I have applied the policy map to ethernet interfaces on all
the routers thinking that this will block any patterns that match the
class-map.
Am I doing something wrong here? Can this be handled in a different way?
Any help is appreciated.
Murali.
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:59:00 GMT-3